PT-2023-6402 · Pyminizip+7
Zmodem
Published 2023-08-11 · Updated 2026-04-09
CVE-2023-45853
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
zlib versions through 1.3
pyminizip versions through 0.2.6
Description
The issue is an integer overflow, and a resulting heap-based buffer overflow, in the zipOpenNewFileInZip4_64 function of the MiniZip package shipped with zlib. It can be triggered by a long filename, comment, or extra field. A remote attacker could exploit it to impact the confidentiality, integrity, and availability of protected information. The vulnerability is also present in pyminizip because it bundles an affected zlib version. According to recent data, this issue remains a top Android exploit, with a rising trend in recent months.
Recommendations
For zlib versions through 1.3, update to a version that fixes the integer overflow in the zipOpenNewFileInZip4_64 function.
For pyminizip versions through 0.2.6, update to a version that uses a fixed zlib version or restricts the use of the vulnerable MiniZip code through its compress API.
As a temporary workaround, consider disabling the zipOpenNewFileInZip4_64 function until a patch is available.
Restrict access to the vulnerable MiniZip code to minimize the risk of exploitation.
Fix
Heap Based Buffer Overflow
Integer Overflow
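The two weakness classes listed above come from the fact that ZIP headers store the filename, extra-field and comment lengths as 16-bit values, so a longer field is silently narrowed. The following added example (not code from zlib, MiniZip or pyminizip) shows the caller-side pre-check that the recommendations call for, mirroring the bound check a fixed zlib applies before writing an entry, and a helper that shows how an oversized length would be recorded; the function names and the 30-line cap on fields are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest length representable in a 2-byte ZIP header length field. */
#define ZIP_FIELD_MAX 0xffffu

/* Returns 1 when every variable-length field fits a 16-bit length and the
 * entry may be handed to zipOpenNewFileInZip4_64(); 0 when any field would
 * be narrowed by the header format and the entry must be rejected. */
int zip_fields_within_bounds(size_t filename_len, size_t extra_local_len,
                             size_t extra_global_len, size_t comment_len)
{
    return filename_len     <= ZIP_FIELD_MAX &&
           extra_local_len  <= ZIP_FIELD_MAX &&
           extra_global_len <= ZIP_FIELD_MAX &&
           comment_len      <= ZIP_FIELD_MAX;
}

/* Length as a 2-byte header field would record it. For an oversized field
 * the recorded value no longer matches the number of bytes actually present,
 * which is the mismatch the vulnerability turns on. */
uint16_t zip_header_field_length(size_t actual_len)
{
    return (uint16_t)(actual_len & ZIP_FIELD_MAX);
}

int main(void)
{
    /* Constructed sample lengths: one ordinary entry, one oversized filename. */
    size_t ok_name = 24, bad_name = 70000;

    printf("24-byte filename accepted: %d\n",
           zip_fields_within_bounds(ok_name, 0, 0, 0));
    printf("70000-byte filename accepted: %d (header would record %u)\n",
           zip_fields_within_bounds(bad_name, 0, 0, 0),
           (unsigned)zip_header_field_length(bad_name));
    return 0;
}
```

Apply the check to every entry before calling into MiniZip, or, for pyminizip, to the path and comment arguments before calling its compress API.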
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Red Os
Suse
Ubuntu
Pyminizip
Zlib